What the vulnerability does
01 Description
The Ninja Countdown | Fastest Countdown Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ninja_countdown_admin_ajax' AJAX endpoint in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary countdowns.
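The shape of the fix for this class of bug, as an added example that is not the plugin's own code: an AJAX handler that verifies both a nonce and a capability before deleting anything. Only the action name 'ninja_countdown_admin_ajax' comes from the advisory; the function names, nonce action, 'route' and 'id' parameters, table name and the choice of the 'manage_options' capability are assumptions, and the code runs inside WordPress.

```php
<?php
// Added illustration, not the plugin's source. Hypothetical names:
// example_countdown_ajax, example_delete_countdown, example_countdown_nonce,
// the 'route'/'id' POST fields and the 'example_countdowns' table.

// wp_ajax_{action} fires for ANY logged-in user, Subscribers included, so
// registering the hook does not restrict who can reach the handler.
add_action( 'wp_ajax_ninja_countdown_admin_ajax', 'example_countdown_ajax' );

function example_countdown_ajax() {
    // 1. CSRF check. A nonce proves the request came from a page the user
    //    loaded; it is not an authorization check on its own.
    check_ajax_referer( 'example_countdown_nonce', 'nonce' );

    // 2. Authorization: the capability check the advisory reports as missing.
    //    'manage_options' (administrators) is an assumed policy choice.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Validate input: allow-listed route and a positive integer id.
    $route = isset( $_POST['route'] ) ? sanitize_key( wp_unslash( $_POST['route'] ) ) : '';
    $id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 'delete_countdown' !== $route || 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Bad request' ), 400 );
    }

    // 4. Only now perform the destructive action.
    if ( ! example_delete_countdown( $id ) ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}

function example_delete_countdown( $id ) {
    global $wpdb;
    // $wpdb->delete() prepares the query; '%d' forces the id to an integer.
    $rows = $wpdb->delete(
        $wpdb->prefix . 'example_countdowns',
        array( 'id' => $id ),
        array( '%d' )
    );
    return (bool) $rows; // false on error, 0 when no row matched
}
```

When reviewing other plugins for the same flaw, look for `wp_ajax_` handlers that reach a write or delete path without a `current_user_can()` call in front of it.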
Explanation of Vulnerability in Simple Terms
02 Summary
Ninja Countdown | Fastest Countdown Builder versions 1.5.0 and earlier lack proper authorization checks, allowing authenticated users to modify countdown data they should not have access to. An attacker with a low-privilege account can alter countdowns belonging to other users or the site. Update to a version newer than 1.5.0 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Modify countdown timers and settings belonging to other users or the site.
Potential impact on your site
04 Site Impact
Countdowns can be altered or defaced by any authenticated user, disrupting site content and user experience.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege user account on the site.
Key dates
06 Disclosure timeline
November 11, 2025: CVE published
April 8, 2026: Record updated